1 / 41

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier. Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries. Presenter: 陳國璋. ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999.

lundbergk
Download Presentation

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient Public-Key Cryptosystem Provably Secure against Active Adversaries Presenter: 陳國璋 ASIACRYPT'99, LNCS 1716, pp. 165-179, 1999. By Pascal Paillier and David Pointcheval

  2. Outline • Notation and math. assumption • Scheme 1

  3. Notation and math. Assumption(1/9) • CR[n] problem • deciding nth residuosity. • Distinguishing nth residues from non nth residues.

  4. Notation and math. Assumption(2/9) • g∈Zn2* • εg: Zn × Zn* → Zn2* be a integer-valued function defined by • εg(x,y) = gx yn mod n2

  5. Notation and math. Assumption(3/9) • Given base g∈B and w∈Zn2*, we want to find x∈Zn and y∈Zn* s.t. εg(x, y) = gx yn mod n2 = w

  6. Notation and math. Assumption(4/9)

  7. Notation and math. Assumption(5/9) • Class[n] problem • nth Residuosity Class Problem of base g • Computing the class function in base g • given w∈Zn2*, compute [w]g • [w]g = x • x is the smallest non-negative integer s.tεg(x, y) = gx yn mod n2 = w • random-self-reducible problem • the bases g are independent

  8. Notation and math. Assumption(6/9)

  9. Notation and math. Assumption(7/9) • D-Class[n] problem • decisional Class[n] problem • given w∈Zn2*,g∈B, x∈Zn, decide whether x=[w]g or not

  10. Notation and math. Assumption(8/9) • Fact[n] • The factorization of n. • RSA[n] • c = me mod n • Extracting eth roots modulo n • CR[n] • deciding nth residuosity.

  11. Notation and math. Assumption(9/9) • Class[n] • Computational composite residuosity class problem • given w∈Zn2* and g∈B, compute [w]g • D-Class[n] • decisional Class[n] problem • given w∈Zn2*,g∈B, x∈Zn, decide whether x=[w]g or not

  12. Notions of Security(1/3) • Indistinguishability of encryption(IND) • Non-malleability(NM) • Given the encryption of a plaintext x, the attacker cannot produce the encryption of a meaningfully related plaintext x’.(For example, x’=x+1)

  13. Notions of Security(2/3) • Chosen-plaintext attack (CPA) • Non-adaptive chosen-ciphertext attack (CCA1) • Adaptive chosen-ciphertext attack (CCA2) • IND-CCA2 and NM-CCA2 are strictly equivalent notions.

  14. Notions of Security(3/3)

  15. Random Oracle Model • Hash functions are considered to be ideal. i.e. perfect random. • From a security viewpoint, this impacts by giving the attacker an additional access to the random oracles of the scheme.

  16. Outline • Notation and math. assumption • Scheme 1

  17. Scheme 1(1/4) • New probabilistic encryption scheme

  18. Scheme 1 (2/4)

  19. Scheme 1 (3/4) • One-way function • Given x, to compute f(x) = y is easy. • Given y, to find x s.t. f(x) = y is hard. • One-way trapdoor • f() is a one-way function. • Given a secret s, given y, to find x s.t. f(x) = y is easy. • Trapdoor permutation • f() is a one-way trapdoor. • f() is bijective.

  20. Scheme 1 (4/4)

  21. Security Analysis(1/21) • Against an adaptive chosen-ciphertext attack.(IND-CCA2) • In the scenario, the adversary makes of queries of her choice to a decryption oracle during two stages.

  22. Security Analysis(2/21) • The first stage, the find stage • Attacker chooses two messages. • Requests encryption oracle to encrypted one of them. • the encryption oracle makes the secret choice of which one.

  23. Security Analysis(3/21) • The second stage, the guess stage • To query the decryption oracle with ciphertext of her choice. • Finally, she tell her guess about the choice the encryption oracle made.

  24. Security Analysis(4/21) • Random oracle • A t-bit random number • Two hash functions • G, H: {0,1}* →{0,1}|n|

  25. Security Analysis(5/21) • Provided t=Ω(|n|δ) for δ>0, Scheme 1 is semantically secure against adaptive chosen-ciphertext attacks (IND-CCA2) under the Decision Composite Residuosity assumption (D-Class assumption) in the random oracle. • D-Class[n] • decisional Class[n] problem • given w∈Zn2*,g∈B, x∈Zn, decide whether x=[w]g or not

  26. Security Analysis(6/21) • An adversary A=(A1,A2) against semantic security of scheme 1. • A1: the find stage • A2: the guess stage • This adversary to efficiently decide nth residuosity classes.

  27. Security Analysis(7/21) • Oracle G • Indistinduishability of encryption • Oracle H • Adaptive attack

  28. Security Analysis(8/21) • Simulation of the Decryption Oracle • The attacker asks for a ciphertext c to be decrypted. • The simulator checks in the query-history from the random oracle H. • Whether some entry leads to the ciphertext c and then return m; otherwise, it return “failure”.

  29. Security Analysis(9/21) • Quasi-perfect simulation • The probability of producing a valid ciphertext without asking the query (m,r) to the random oracle H (whose answer a has to satisfy the test an = z mod n) is upper bounded by 1/ψ(n)≦2/n, which is clearly negligible.

  30. Security Analysis(10/21) • Initialization • n=pq, g∈Zn2* • Public: n,g • Private: λ

  31. Security Analysis(11/21) • Encryption • Plaintext: m < 2|n|-t-1 • Randomly select r < 2t • z=H(m,r)n mod n2 • M=m||r +G(z mod n) mod n • Ciphertext: c=gMz mod n2

  32. Security Analysis(12/21) • Decryption • Ciphertext: c=gMz mod n2 ∈Zn2* • M=[L(cλmod n2)/L(gλmod n2)] mod n • z’=g-Mc mod n • m’||r’=M-G(z’) mod n • If H(m’,r’)n = z’ mod n, then the plaintext is m’ • Otherwise, output “failure”

  33. Security Analysis(13/21) • Attacker A to design a distinguisher B for nth residuosity class. • (w,α) is a instance of the D-Class problem, where α is the nth residuosity class of w. • D-Class[n] • decisional Class[n] problem • given w∈Zn2*,g∈B, α∈Zn, decide whether α=[w]g or not

  34. Security Analysis(14/21) • Distinguisher B(1/2) • Randomly chooses u∈Zn, v∈Zn*, 0≦r<2t. • Compute the follows • z=wg-αvn mod n • c=wguvn mod n2 • Run A1 and gets two messages m0,m1

  35. Security Analysis(15/21) • Distinguisher B(2/2) • Chooses a bit b • Run A2 on the ciphertext c, supposed to the ciphertext of mb and using the random r.

  36. Security Analysis(16/21) • Shut this game down • z is asked to the oracle G, shut this game down and B return 1. • This event will be denote by AskG • If (m0,r) or (m1,r) are asked to the oracle H, shut this geme down and B return 0. • This event will be denote by AskH • In any other case, B return 0 when A2 end.

  37. Security Analysis(17/21) • One event AskG or AskH is likely to happen, B terminate the game. • The random choice of r, Pr[AskH]=O(qH/2t) in any case, qH=#(queries asked to the oracle H) and 0≦r<2t. • G and H are seen like random oracles, the attacker has no chance to correctly guess b, during a real attack.

  38. Security Analysis(18/21) • In α=[w]g case • If none of the events AskG or AskH occur, then • AdvA ≦ Pr[ AskG ∨ AskH | [w]g = α]

  39. Security Analysis(19/21) • In α≠[w]g case • z is perfectly random (independent of c), then Pr[AskG] ≦ qG/ψ(n), qG=#(queries asked to the oracle G) and u∈Zn, v∈Zn*, z=wg-αvn mod n

  40. Security Analysis(20/21) • The advantage of distinguisher B in deciding the nth residuosity classes:

  41. Security Analysis(21/21) • Reduction Cost • If there exists an active attacker A against semantic security, one can decide nth residuosity classes with an advantage greater then

More Related